Using Authy to add 2-Factor Authentication To Your Auth0 Applications

We at Authy are always looking to make it easier for our clients to add 2FA to their applications. In fact, with just a few API calls you can be up and running in no time. However,  you may already be using a cloud service for your entire authentication stack, you may find this perspective from Auth0, one of the leading vendors in this space, of  interest. They recently wrote a wonderful and detailed guide on how to integrate Authy with their own authentication platform. We hope you find it useful and informative! Enjoy!


From Auth0:

Keeping your user accounts safe is a common issue and worry for every team writing software. One way to protect accounts that is becoming exponentially popular is 2-Factor Authentication (2FA for short). We love 2FA at Auth0: we have written tons of content on what 2FA is and how to use it with Auth0.

Authy has become a standout in the 2FA scene; between recently adding one-touch support and having cross-platform authenticator applications, it’s quickly becoming a robust and well-designed solution– for both developers and users!

By using the extensibility of Auth0’s rules engine, and the useful TOTP API from Authy, and the snappy aid of a Webtask.io webtask, we can add Authy support to an Auth0-enabled application with ease.

How this works

Ath0Diagram
How our 2FA Implementation Works (Click to see the image larger)

So this diagram seems like a lot to digest, but we’ll walk through it step-by-step:

Steps 1, 2, and 3 comprise a normal Auth0 login; the user provides credentials or selects a social provider and is redirected to the social provider to input their credentials.

Once the user has successfully provided credentials, the Auth0 Rules Engine kicks in. The same rule will run twice: the first time, the code will determine if this user has an authy account associated with it. If the user has not registered with Authy, it will redirect back to our app to ask the user for their phone number:

Auth0Login
Our Authy Registration Page

After the user has given us their phone number, we’ll use the Authy TOTP API to register that user, and the Auth0 Management API to update the user’s information with their Authy ID. When redirected to our webtask, the webtask will display a dialog asking for a One-Time Passcode (OTP) from their Authy authenticator:

Auth0-OTP

Authy OTP Dialog

When the user opens their Authy application, they’ll see our app in the list of options:

2016-08-12_0851

Our Authy App with our OTP

The user will enter the code that appears on their phone into our OTP dialog and hit ‘Submit’.

Upon submitting the code, our webtask sends that OTP back to the Auth0 rules engine, which will run our rule again– but this time, it will know to send the OTP to the Authy TOTP API for verification. When the Authy TOTP API responds, the rule either finishes signing the user in if the OTP id verified, or sends them back to the OTP dialog if the OTP is denied.

Once the rules engine wraps up with a valid OTP, the user will be signed in and verified not just by Auth0 but also with Authy’s 2FA.

The Code

2016-08-12_0853

The code is split up into three parts: Your application server, Auth0 rule, and Webtask. Let’s start with running this application. You can download the code here.

If you’d like to learn more about the base project, it’s our seed project for Node.JS from our documentation pages. It’s a basic Express server that allows a user to log in, see their portrait and username, and logout.

Getting the Project Running

You’ll need a few things to get started with this project in order to have it run smoothly. First, a grocery list of keys and credentials you’ll need:

Once you have these, you’ll want to add a file called .env to the root folder of the project, that will contain the following:

You’ll also want to modify the wt-run  file in the root directory. This file shortens the command needed to deploy your webtask:

>To deploy your webtask, you’ll need to install the webtask cli if you haven’t already, then, in your root project folder in your terminal, run:

Then,open the rules tab in the dashboard, create a new rule, and paste the modified contents of rule.js  into the editor window, and click ‘Save’.

Your 2FA should now be up and running, so to start your server, you’ll run:

In your root project folder in your terminal, and navigate to  http://localhost:3000 in your browser.

Caveat

There is a caveat with this project. If you’re going to log into a social provider and use 2FA, you’ll need to use your own dev keys with the social connection, or the rule will fail. Using email/password combination works just fine no matter the situation.